Android wallpaper app that steals your data was downloaded by millions

A questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China has been downloaded millions of times, according to data unearthed by mobile security firm Lookout.

That means that apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin Mahaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas today.

“Even good apps can be modified to turn bad after a lot of people download it,” Mahaffey said. “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

http://mobile.venturebeat.com/2010/...-steals-your-data-was-downloaded-by-millions/ :D
 
Thankfully, the security of other smartphone platforms (iOS, Symbian, almost certainly WP7) is a lot better and this kind of scam wouldn't be possible.
 
Thankfully, the security of other smartphone platforms (iOS, Symbian, almost certainly WP7) is a lot better and this kind of scam wouldn't be possible.

Complete nonsense!

Lookout have also confirmed that this type of data-gathering hidden in apps affects around 25% of free apps available for iOS.

Edit: Maybe not 25% - I'm sure I read that figure earlier on the NeoWin article on this subject but I can't see that figure any more. Anyway, my point still stands, iOS is as affected by this as I'm sure Symbian and WinMo are.
 
I've just looked at what this requests to access; it says phone calls; state and information. That would put me off installing it anyway.
 
Complete nonsense!

Lookout have also confirmed that this type of data-gathering hidden in apps affects around 25% of free apps available for iOS.

An application on iOS or Symbian has no way to grab the voicemail password due to data caging and system permissions. I doubt WP7's approach to application security will allow it either.

Some iOS applications may collect personal data but nothing as sensitive as your voicemail password. The only way to collect that kind of data would be to jailbreak the phone.
 
An application on iOS or Symbian has no way to grab the voicemail password due to data caging and system permissions. I doubt WP7's approach to application security will allow it either.

Some iOS applications may collect personal data but nothing as sensitive as your voicemail password. The only way to collect that kind of data would be to jailbreak the phone.

So it's ok that they can get all the other info? :p
 
So it's ok that they can get all the other info? :p

Can they? Probably not for most of the items listed by Lookout. IMSI is relatively straightforward to grab (but harmless), the rest would be almost impossible with jailbreaking or the user knowing about it.
 
Ah so you don't really know then do you :p

Apple products have just as many holes as any other.... How do you think Jailbreaking is possible?
 
Apple products have just as many holes as any other.... How do you think Jailbreaking is possible?

Jailbreaking and malware are two separate issues.

The problem with malware is that, unlike jailbreaking, it doesn't require a flaw in the operating system to work. Malware targets a flaw in the user. It is designed to trick a user into downloading and executing a piece of code that the user expects to do something different.

Symbian used to be the prime malware target until it severely tightened up its security. These days, if a Symbian application wants to do something potentially dangerous (access files outside of its own sandbox, make a phone call) then the application has to go through an independent test house before it can be released for download. The more dangerous the API used, the more rigorous the testing becomes.

Apple copied a lot of ideas from Symbian. iOS apps sit in their own little sandbox, unable to access most of the system directly. If an application uses a more powerful private API, it will get rejected from the app store. Similarly, if it does something other than what it's supposed to do then it will get rejected. Some apps do slip through, but they're fixed very fast.

Android is great because it's open, but that openness is a double-edged sword. The lack of any real vetting on the Android Marketplace means that downloading software for Android is not much safer than downloading software for Windows without a virus checker. The only warning you get is at install time and most users click "OK" before reading dialogs. If you're tech savvy, malware on Android is not a big deal. If you aren't tech savvy, you could end up downloading something harmful.

Please don't take what I'm saying to mean "my phone is better than your phone". I'm a cross platform developer these days. I don't hold a grudge against any OS (well, apart from maybe Windows Mobile classic :p).
 
So two chaps sporting Apple computers slate Android. Interesting. I'm sure it's true but I'm sure there is more to it than this story lets on.
 
http://www.androidcentral.com/rogue-android app-stealing-data-according-security-firm

More details to this story.

Hi Jerry,

I wanted to reach out to you regarding the wallpaper app we recently discussed at Blackhat to clarify a few things.

Specifically, the wallpaper applications we analyzed proved to send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password).

Also, it's important to note that the applications were estimated by androidlib to have between 1 and 4 million downloads (not necessarily the same thing as 1-4 million users).

Finally, while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

I'm happy to answer any more questions you have.

Thanks,
Kevin

Kevin Mahaffey
Founder, CTO
Lookout, Inc.

The original article by mobilebeat

http://mobile.venturebeat.com/2010/...-steals-your-data-was-downloaded-by-millions/

falsely made alarmist claims that browsing history and text messages were stolen. It still has the false claim that your voicemail password is stolen.
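
As an added example (not part of the original post, and not Lookout's tooling): the three items named in the e-mail above (phone number, subscriber identifier, voicemail number) were all gated on Android by the single `READ_PHONE_STATE` permission, so a decoded manifest can be checked for that permission alongside `INTERNET`. The sample manifest is constructed, and the set of permissions a wallpaper app "should" need is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"

# Data items named in the Lookout e-mail and the permission that gated them.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": [
        "phone number", "subscriber identifier (IMSI)", "voicemail number"],
}

# Assumption for this example: what a wallpaper app plausibly needs.
EXPECTED_FOR_WALLPAPER = {"android.permission.SET_WALLPAPER", NETWORK}

# Constructed sample manifest in decoded XML form, not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Wallpapers"/>
</manifest>
""".strip()


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(manifest_xml, expected=EXPECTED_FOR_WALLPAPER):
    """Flag permissions outside the expected set and the data they expose."""
    perms = requested_permissions(manifest_xml)
    readable = sorted(item for p in perms for item in SENSITIVE.get(p, []))
    return {
        "unexpected": sorted(perms - expected),
        "readable_data": readable,
        # Sensitive reads only become a leak when the app can also reach the network.
        "can_leave_device": bool(readable) and NETWORK in perms,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```
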
 
I guess we need a firewall of some sort on Android now :p

A lot of apps seem to use features that you wouldn't think they would use, like some games (one of the sudoku games springs to mind).
 
Can anyone actually identify which wallpaper app this is? My friend has an Android wallpaper app and I'd like to inform him if it may be leaking potentially private data.
 